We can't read your data.
Here's the architecture that makes it true.
"Zero-knowledge" is a claim every vault makes. This page explains ours precisely — what runs where, what we store, and what we could hand over even if we were forced to: ciphertext.
The key hierarchy
Four layers, each wrapping the next. Everything below the first line happens in your browser.
Your passphrase
Argon2idNever leaves your browser, never stored anywhere. Stretched with Argon2id (t=3, 64 MiB memory) and a per-user salt into a key-encryption key.
Key-encryption key (KEK)
in-memory onlyExists only in your browser's memory while you unlock. It wraps and unwraps the master key — and is forgotten the moment it's done.
Master vault key (MVK)
stored as ciphertext32 random bytes that protect everything. Stored on our servers only as ciphertext — wrapped under your KEK, and separately under a key derived from your 24-word recovery phrase.
Per-item data keys
AES-256-GCMEvery vault item gets its own random key, which encrypts its contents with AES-256-GCM and is itself wrapped under the master key. A fresh 12-byte IV on every save.
Changing your passphrase re-wraps the same master key under a new KEK — your items never need re-encrypting, and the old passphrase becomes useless immediately.
What our servers can — and cannot — see
What we hold
- That an account with your email exists
- Encrypted blobs (ciphertext + IVs) we cannot open
- Item types — e.g. "this row is a credential" — to render lists
- Billing metadata, if you subscribe (handled by Stripe)
What we can never see
- Your passphrase — it never leaves your device
- Your 24-word recovery phrase
- Any key able to decrypt your data
- Passwords, account numbers, documents, wishes — any vault content
Defense in depth
Row-Level Security on every table
Every row in our database is scoped to its owner by Postgres Row-Level Security. Security doesn't depend on hiding API keys — it's enforced at the database layer on every query.
Audited, open primitives
We don't invent cryptography. Encryption uses the open-source @noble libraries and @scure BIP-39 — small, auditable, widely reviewed implementations.
No server-side decryption path
There is no admin tool, no support backdoor, no break-glass mode. The code to decrypt your vault on a server does not exist in this product.
Auto-lock, zeroed memory
The unlocked master key lives only in browser memory, auto-locks after 10 minutes, and is overwritten with zeros when the vault locks or you sign out.
The honest trade-off
Real zero-knowledge has a cost: if you lose both your passphrase and your 24-word recovery phrase, your data is unrecoverable — by you, by us, by anyone. A vault we could reset would be a vault we could read. We chose the version that protects you, and we'll remind you to store your recovery phrase safely at every step.